JasonMiles, posted August 8, 2013

Microsoft advises that a cryptographic problem in the PEAP-MS-CHAPv2 protocol used in Windows Phone 8 to provide WPA2 authentication allows a victim's encrypted domain credentials to be collected by an attacker posing as a typical WiFi access point. Redmond further states that this problem cannot be patched, although a set of manually entered configuration changes involving root certificates on all WP8 phones and on WiFi access points will apparently address the issue. WP7.8 phones are likewise vulnerable.

Question: Why isn't this on the front page?

primexx, posted August 9, 2013

So it's a problem in the public standard, or MS's implementation only?

Raa, posted August 9, 2013

If it was in the public standard it'd be vulnerable on any device, including Windows which widely uses MS-CHAPv2, and I haven't heard of that being breached. I'd venture a guess to say it's an error in WP8 programming... Be interesting to see how this story develops.

articuno1au, posted August 9, 2013

It's in the standard. Every device that doesn't enforce signed certificates before the exchange is vulnerable to this.

EDIT: The original disclosure of the issue. Microsoft are just acknowledging the leak in WP. It's not new. http://wifihere.blogspot.com.au/2012/11/peap-mschapv2-vulnerability.html

Second edit: As to why it's not on the front page, it's a next to careface exploit that allows for very targeted attacks on networks running enterprise (ha) encryption schemas without proper configuration. This is a notification for people who need to be told not to stop chain saw chains with their testicles.